I neglected to mention earlier that these problems were showing up on juju-core 1.21.1-0ubuntu1~14.04.1~juju1.
I tried again with the same environment on juju-core 1.20.14-0ubuntu1~14.04.1~juju1 (which no longer seems to be present in the repos - why?) and the problem does not occur. Here is a log of a manual connection attempt with the rsyslog configuration deployed by 1.20.14:
root@rasalhague:/var/log/juju# openssl s_client -CAfile ca-cert.pem -connect 10.49.4.0:6514
CONNECTED(00000003)
depth=1 O = juju, CN = juju-generated CA for environment \"rsyslog\"
verify return:1
depth=0 O = juju, CN = *
verify return:1
---
Certificate chain
0 s:/O=juju/CN=*
i:/O=juju/CN=juju-generated CA for environment "rsyslog"
---
Server certificate
subject=/O=juju/CN=*
issuer=/O=juju/CN=juju-generated CA for environment "rsyslog"
---
Acceptable client certificate CA names
/O=juju/CN=juju-generated CA for environment "rsyslog"
/O=juju/CN=juju-generated CA for environment "rsyslog"
---
SSL handshake has read 1120 bytes and written 547 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: CA6FCBCD53F11C86AE130265CC4CA7568876B202ABD9EDC984FF85FE9CD8BA3D
Session-ID-ctx:
Master-Key: AA3880BEB10E8EE5B7AF58ED3477823079E3523F98756D42366B521D6361E5E111B82165EEED67D21371EF4A643A6888
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1423031626
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
^C
root@rasalhague:/var/log/juju#